openssl/openssl-1.0.1k-ephemeral-key-size.patch

diff -up openssl-1.0.1k/apps/s_apps.h.ephemeral openssl-1.0.1k/apps/s_apps.h
--- openssl-1.0.1k/apps/s_apps.h.ephemeral	2015-01-09 10:22:03.289896211 +0100
+++ openssl-1.0.1k/apps/s_apps.h	2015-01-09 10:22:03.373898111 +0100
@@ -156,6 +156,7 @@ int MS_CALLBACK verify_callback(int ok,
 int set_cert_stuff(SSL_CTX *ctx, char *cert_file, char *key_file);
 int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key);
 #endif
+int ssl_print_tmp_key(BIO *out, SSL *s);
 int init_client(int *sock, char *server, char *port, int type);
 int should_retry(int i);
 int extract_host_port(char *str,char **host_ptr,char **port_ptr);
diff -up openssl-1.0.1k/apps/s_cb.c.ephemeral openssl-1.0.1k/apps/s_cb.c
--- openssl-1.0.1k/apps/s_cb.c.ephemeral	2015-01-08 15:00:36.000000000 +0100
+++ openssl-1.0.1k/apps/s_cb.c	2015-01-09 10:22:03.373898111 +0100
@@ -338,6 +338,38 @@ void MS_CALLBACK apps_ssl_info_callback(
 		}
 	}
 
+int ssl_print_tmp_key(BIO *out, SSL *s)
+	{
+	EVP_PKEY *key;
+	if (!SSL_get_server_tmp_key(s, &key))
+		return 1;
+	BIO_puts(out, "Server Temp Key: ");
+	switch (EVP_PKEY_id(key))
+		{
+	case EVP_PKEY_RSA:
+		BIO_printf(out, "RSA, %d bits\n", EVP_PKEY_bits(key));
+		break;
+
+	case EVP_PKEY_DH:
+		BIO_printf(out, "DH, %d bits\n", EVP_PKEY_bits(key));
+		break;
+
+	case EVP_PKEY_EC:
+			{
+			EC_KEY *ec = EVP_PKEY_get1_EC_KEY(key);
+			int nid;
+			const char *cname;
+			nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));
+			EC_KEY_free(ec);
+			cname = OBJ_nid2sn(nid);
+			BIO_printf(out, "ECDH, %s, %d bits\n",
+						cname, EVP_PKEY_bits(key));
+			}
+		}
+	EVP_PKEY_free(key);
+	return 1;
+	}
+		
 
 void MS_CALLBACK msg_cb(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg)
 	{
diff -up openssl-1.0.1k/apps/s_client.c.ephemeral openssl-1.0.1k/apps/s_client.c
--- openssl-1.0.1k/apps/s_client.c.ephemeral	2015-01-09 10:22:03.367897975 +0100
+++ openssl-1.0.1k/apps/s_client.c	2015-01-09 10:22:03.373898111 +0100
@@ -2058,6 +2058,8 @@ static void print_stuff(BIO *bio, SSL *s
 			BIO_write(bio,"\n",1);
 			}
 
+		ssl_print_tmp_key(bio, s);
+
 		BIO_printf(bio,"---\nSSL handshake has read %ld bytes and written %ld bytes\n",
 			BIO_number_read(SSL_get_rbio(s)),
 			BIO_number_written(SSL_get_wbio(s)));
diff -up openssl-1.0.1k/ssl/ssl.h.ephemeral openssl-1.0.1k/ssl/ssl.h
--- openssl-1.0.1k/ssl/ssl.h.ephemeral	2015-01-09 10:22:03.358897772 +0100
+++ openssl-1.0.1k/ssl/ssl.h	2015-01-09 10:25:08.644088146 +0100
@@ -1593,6 +1593,7 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
 #define SSL_CTRL_GET_EXTRA_CHAIN_CERTS		82
 #define SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS	83
 
+#define SSL_CTRL_GET_SERVER_TMP_KEY		109
 #define SSL_CTRL_CHECK_PROTO_VERSION		119
 #define DTLS_CTRL_SET_LINK_MTU			120
 #define DTLS_CTRL_GET_LINK_MIN_MTU		121
@@ -1638,6 +1639,9 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
 #define SSL_CTX_clear_extra_chain_certs(ctx) \
 	SSL_CTX_ctrl(ctx,SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS,0,NULL)
 
+#define SSL_get_server_tmp_key(s, pk) \
+	SSL_ctrl(s,SSL_CTRL_GET_SERVER_TMP_KEY,0,pk)
+
 #ifndef OPENSSL_NO_BIO
 BIO_METHOD *BIO_f_ssl(void);
 BIO *BIO_new_ssl(SSL_CTX *ctx,int client);
diff -up openssl-1.0.1k/ssl/s3_lib.c.ephemeral openssl-1.0.1k/ssl/s3_lib.c
--- openssl-1.0.1k/ssl/s3_lib.c.ephemeral	2015-01-08 15:00:56.000000000 +0100
+++ openssl-1.0.1k/ssl/s3_lib.c	2015-01-09 10:22:03.374898133 +0100
@@ -3356,6 +3356,45 @@ long ssl3_ctrl(SSL *s, int cmd, long lar
 
 #endif /* !OPENSSL_NO_TLSEXT */
 
+	case SSL_CTRL_GET_SERVER_TMP_KEY:
+		if (s->server || !s->session || !s->session->sess_cert)
+			return 0;
+		else
+			{
+			SESS_CERT *sc;
+			EVP_PKEY *ptmp;
+			int rv = 0;
+			sc = s->session->sess_cert;
+#if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DH) && !defined(OPENSSL_NO_EC)
+			if (!sc->peer_rsa_tmp && !sc->peer_dh_tmp
+							&& !sc->peer_ecdh_tmp)
+				return 0;
+#endif
+			ptmp = EVP_PKEY_new();
+			if (!ptmp)
+				return 0;
+			if (0);
+#ifndef OPENSSL_NO_RSA
+			else if (sc->peer_rsa_tmp)
+				rv = EVP_PKEY_set1_RSA(ptmp, sc->peer_rsa_tmp);
+#endif
+#ifndef OPENSSL_NO_DH
+			else if (sc->peer_dh_tmp)
+				rv = EVP_PKEY_set1_DH(ptmp, sc->peer_dh_tmp);
+#endif
+#ifndef OPENSSL_NO_ECDH
+			else if (sc->peer_ecdh_tmp)
+				rv = EVP_PKEY_set1_EC_KEY(ptmp, sc->peer_ecdh_tmp);
+#endif
+			if (rv)
+				{
+				*(EVP_PKEY **)parg = ptmp;
+				return 1;
+				}
+			EVP_PKEY_free(ptmp);
+			return 0;
+			}
+
 	case SSL_CTRL_CHECK_PROTO_VERSION:
 		/* For library-internal use; checks that the current protocol
 		 * is the highest enabled version (according to s->ctx->method,
new upstream release fixing multiple security issues 2015-01-09 09:54:51 +00:00			`diff -up openssl-1.0.1k/apps/s_apps.h.ephemeral openssl-1.0.1k/apps/s_apps.h`
			`--- openssl-1.0.1k/apps/s_apps.h.ephemeral 2015-01-09 10:22:03.289896211 +0100`
			`+++ openssl-1.0.1k/apps/s_apps.h 2015-01-09 10:22:03.373898111 +0100`
print ephemeral key size negotiated in TLS handshake (#1057715) - add DH_compute_key_padded needed for FIPS CAVS testing 2014-02-12 15:20:03 +00:00			`@@ -156,6 +156,7 @@ int MS_CALLBACK verify_callback(int ok,`
			`int set_cert_stuff(SSL_CTX ctx, char cert_file, char *key_file);`
			`int set_cert_key_stuff(SSL_CTX ctx, X509 cert, EVP_PKEY *key);`
			`#endif`
			`+int ssl_print_tmp_key(BIO out, SSL s);`
			`int init_client(int sock, char server, char *port, int type);`
			`int should_retry(int i);`
			`int extract_host_port(char str,char host_ptr,char *port_ptr);`
new upstream release fixing multiple security issues 2015-01-09 09:54:51 +00:00			`diff -up openssl-1.0.1k/apps/s_cb.c.ephemeral openssl-1.0.1k/apps/s_cb.c`
			`--- openssl-1.0.1k/apps/s_cb.c.ephemeral 2015-01-08 15:00:36.000000000 +0100`
			`+++ openssl-1.0.1k/apps/s_cb.c 2015-01-09 10:22:03.373898111 +0100`
print ephemeral key size negotiated in TLS handshake (#1057715) - add DH_compute_key_padded needed for FIPS CAVS testing 2014-02-12 15:20:03 +00:00			`@@ -338,6 +338,38 @@ void MS_CALLBACK apps_ssl_info_callback(`
			`}`
			`}`

			`+int ssl_print_tmp_key(BIO out, SSL s)`
			`+ {`
			`+ EVP_PKEY *key;`
			`+ if (!SSL_get_server_tmp_key(s, &key))`
			`+ return 1;`
			`+ BIO_puts(out, "Server Temp Key: ");`
			`+ switch (EVP_PKEY_id(key))`
			`+ {`
			`+ case EVP_PKEY_RSA:`
			`+ BIO_printf(out, "RSA, %d bits\n", EVP_PKEY_bits(key));`
			`+ break;`
			`+`
			`+ case EVP_PKEY_DH:`
			`+ BIO_printf(out, "DH, %d bits\n", EVP_PKEY_bits(key));`
			`+ break;`
			`+`
			`+ case EVP_PKEY_EC:`
			`+ {`
			`+ EC_KEY *ec = EVP_PKEY_get1_EC_KEY(key);`
			`+ int nid;`
			`+ const char *cname;`
			`+ nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));`
			`+ EC_KEY_free(ec);`
			`+ cname = OBJ_nid2sn(nid);`
			`+ BIO_printf(out, "ECDH, %s, %d bits\n",`
			`+ cname, EVP_PKEY_bits(key));`
			`+ }`
			`+ }`
			`+ EVP_PKEY_free(key);`
			`+ return 1;`
			`+ }`
			`+`

			`void MS_CALLBACK msg_cb(int write_p, int version, int content_type, const void buf, size_t len, SSL ssl, void *arg)`
			`{`
new upstream release fixing multiple security issues 2015-01-09 09:54:51 +00:00			`diff -up openssl-1.0.1k/apps/s_client.c.ephemeral openssl-1.0.1k/apps/s_client.c`
			`--- openssl-1.0.1k/apps/s_client.c.ephemeral 2015-01-09 10:22:03.367897975 +0100`
			`+++ openssl-1.0.1k/apps/s_client.c 2015-01-09 10:22:03.373898111 +0100`
			`@@ -2058,6 +2058,8 @@ static void print_stuff(BIO bio, SSL s`
print ephemeral key size negotiated in TLS handshake (#1057715) - add DH_compute_key_padded needed for FIPS CAVS testing 2014-02-12 15:20:03 +00:00			`BIO_write(bio,"\n",1);`
			`}`

			`+ ssl_print_tmp_key(bio, s);`
			`+`
			`BIO_printf(bio,"---\nSSL handshake has read %ld bytes and written %ld bytes\n",`
			`BIO_number_read(SSL_get_rbio(s)),`
			`BIO_number_written(SSL_get_wbio(s)));`
new upstream release fixing multiple security issues 2015-01-09 09:54:51 +00:00			`diff -up openssl-1.0.1k/ssl/ssl.h.ephemeral openssl-1.0.1k/ssl/ssl.h`
			`--- openssl-1.0.1k/ssl/ssl.h.ephemeral 2015-01-09 10:22:03.358897772 +0100`
			`+++ openssl-1.0.1k/ssl/ssl.h 2015-01-09 10:25:08.644088146 +0100`
			`@@ -1593,6 +1593,7 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)`
print ephemeral key size negotiated in TLS handshake (#1057715) - add DH_compute_key_padded needed for FIPS CAVS testing 2014-02-12 15:20:03 +00:00			`#define SSL_CTRL_GET_EXTRA_CHAIN_CERTS 82`
			`#define SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS 83`

			`+#define SSL_CTRL_GET_SERVER_TMP_KEY 109`
new upstream release fixing multiple security issues 2014-10-16 11:50:08 +00:00			`#define SSL_CTRL_CHECK_PROTO_VERSION 119`
new upstream release fixing multiple security issues 2015-01-09 09:54:51 +00:00			`#define DTLS_CTRL_SET_LINK_MTU 120`
			`#define DTLS_CTRL_GET_LINK_MIN_MTU 121`
			`@@ -1638,6 +1639,9 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)`
print ephemeral key size negotiated in TLS handshake (#1057715) - add DH_compute_key_padded needed for FIPS CAVS testing 2014-02-12 15:20:03 +00:00			`#define SSL_CTX_clear_extra_chain_certs(ctx) \`
			`SSL_CTX_ctrl(ctx,SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS,0,NULL)`

			`+#define SSL_get_server_tmp_key(s, pk) \`
			`+ SSL_ctrl(s,SSL_CTRL_GET_SERVER_TMP_KEY,0,pk)`
			`+`
			`#ifndef OPENSSL_NO_BIO`
			`BIO_METHOD *BIO_f_ssl(void);`
			`BIO BIO_new_ssl(SSL_CTX ctx,int client);`
new upstream release fixing multiple security issues 2015-01-09 09:54:51 +00:00			`diff -up openssl-1.0.1k/ssl/s3_lib.c.ephemeral openssl-1.0.1k/ssl/s3_lib.c`
			`--- openssl-1.0.1k/ssl/s3_lib.c.ephemeral 2015-01-08 15:00:56.000000000 +0100`
			`+++ openssl-1.0.1k/ssl/s3_lib.c 2015-01-09 10:22:03.374898133 +0100`
new upstream release fixing multiple security issues 2014-10-16 11:50:08 +00:00			`@@ -3356,6 +3356,45 @@ long ssl3_ctrl(SSL *s, int cmd, long lar`
print ephemeral key size negotiated in TLS handshake (#1057715) - add DH_compute_key_padded needed for FIPS CAVS testing 2014-02-12 15:20:03 +00:00
			`#endif /* !OPENSSL_NO_TLSEXT */`
new upstream release fixing multiple security issues 2014-10-16 11:50:08 +00:00
print ephemeral key size negotiated in TLS handshake (#1057715) - add DH_compute_key_padded needed for FIPS CAVS testing 2014-02-12 15:20:03 +00:00			`+ case SSL_CTRL_GET_SERVER_TMP_KEY:`
			`+ if (s->server \|\| !s->session \|\| !s->session->sess_cert)`
			`+ return 0;`
			`+ else`
			`+ {`
			`+ SESS_CERT *sc;`
			`+ EVP_PKEY *ptmp;`
			`+ int rv = 0;`
			`+ sc = s->session->sess_cert;`
			`+#if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DH) && !defined(OPENSSL_NO_EC)`
			`+ if (!sc->peer_rsa_tmp && !sc->peer_dh_tmp`
			`+ && !sc->peer_ecdh_tmp)`
			`+ return 0;`
			`+#endif`
			`+ ptmp = EVP_PKEY_new();`
			`+ if (!ptmp)`
			`+ return 0;`
			`+ if (0);`
			`+#ifndef OPENSSL_NO_RSA`
			`+ else if (sc->peer_rsa_tmp)`
			`+ rv = EVP_PKEY_set1_RSA(ptmp, sc->peer_rsa_tmp);`
			`+#endif`
			`+#ifndef OPENSSL_NO_DH`
			`+ else if (sc->peer_dh_tmp)`
			`+ rv = EVP_PKEY_set1_DH(ptmp, sc->peer_dh_tmp);`
			`+#endif`
			`+#ifndef OPENSSL_NO_ECDH`
			`+ else if (sc->peer_ecdh_tmp)`
			`+ rv = EVP_PKEY_set1_EC_KEY(ptmp, sc->peer_ecdh_tmp);`
			`+#endif`
			`+ if (rv)`
			`+ {`
			`+ (EVP_PKEY *)parg = ptmp;`
			`+ return 1;`
			`+ }`
			`+ EVP_PKEY_free(ptmp);`
			`+ return 0;`
			`+ }`
new upstream release fixing multiple security issues 2014-10-16 11:50:08 +00:00			`+`
			`case SSL_CTRL_CHECK_PROTO_VERSION:`
			`/* For library-internal use; checks that the current protocol`
			`* is the highest enabled version (according to s->ctx->method,`